devuan jessie gpg 2.2.x thunderbird/apparmor/enigmail rules

Fulano Diego Perez fulanoperez at cryptolab.net
Wed Nov 1 05:46:16 CET 2017


Any suggestions to complete the AppArmor rules to enable all functionality
for a /usr/local gpg install with Thunderbird/gpg/Enigmail?

The rules below, currently appended to the default thunderbird profile, allow
almost all functionality, except that I cannot enable the commented-out rules;
otherwise Enigmail does not detect GnuPG and fails to start.

As soon as I comment them out, Enigmail fails...

I think my previous email about problems with dirmngr could be related,
and if those are debugged, it could help here.

The profile below allows most Thunderbird/Enigmail functionality except
importing keys from a keyserver.

/etc/apparmor.d/local/usr.bin.thunderbird:

# run the /usr/local GnuPG binaries under the thunderbird//gpg child profile
/usr/local/bin/gpg               Cx -> gpg,
/usr/local/bin/gpg-error         Cx -> gpg,
#/usr/local/bin/dirmngr           Cx -> gpg,
/usr/local/bin/gpg-agent         Cx -> gpg,
/usr/local/bin/gpgconf           Cx -> gpg,
/usr/local/bin/gpg-connect-agent Cx -> gpg,

# the TOFU database is sqlite; it needs write and lock (rwk) access
#/proc/**/fd/ r,
owner @{HOME}/.gnupg/tofu.db rwk,
#owner @{HOME}/.gnupg/tofu.db-journal rwk,
# a binary that was transitioned with Cx must be allowed to map itself (mr)
/usr/local/bin/gpg mr,
/usr/local/bin/gpg-error mr,
#/usr/local/bin/dirmngr mr,
/usr/local/bin/gpg-agent mr,
/usr/local/bin/gpgconf mr,
/usr/local/bin/gpg-connect-agent mr,
/usr/lib/gnupg/gpgkeys_* ix,

# shared libraries of the /usr/local install
/usr/local/lib/** mr,

This profile still logs the possible problems below:

[51155.130813] audit: type=1400 audit(1509507779.968:128572837):
apparmor="DENIED" operation="mknod" profile="thunderbird//gpg"
name="/home/user/.gnupg/tofu.db-journal" pid=20072 comm="gpg"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[51155.139191] audit: type=1400 audit(1509507779.976:128572838):
apparmor="DENIED" operation="mknod" profile="thunderbird//gpg"
name="/home/user/.gnupg/tofu.db-journal" pid=20072 comm="gpg"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[51161.198110] audit: type=1400 audit(1509507786.040:128572839):
apparmor="DENIED" operation="open" profile="thunderbird//gpg"
name="/proc/20077/fd/" pid=20077 comm="gpg" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
[51161.198390] audit: type=1400 audit(1509507786.040:128572840):
apparmor="DENIED" operation="exec" profile="thunderbird//gpg"
name="/usr/local/bin/dirmngr" pid=20077 comm="gpg" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0
[51177.540706] audit: type=1400 audit(1509507802.392:128572841):
apparmor="DENIED" operation="open" profile="thunderbird//gpg"
name="/proc/20080/fd/" pid=20080 comm="gpg" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
[51177.541002] audit: type=1400 audit(1509507802.392:128572842):
apparmor="DENIED" operation="exec" profile="thunderbird//gpg"
name="/usr/local/bin/dirmngr" pid=20080 comm="gpg" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0
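
An added helper for working through denials like the ones above (example code, not part of the original post, AppArmor or GnuPG): it re-joins the mail-wrapped audit records, merges duplicates, and prints candidate rules the way the interactive aa-logprof would, using the post's own log lines as constructed input. The generalisations it applies are my assumptions, not something the log states: /home/<user>/ becomes @{HOME}/, /proc/<pid>/ becomes /proc/*/ (usable on the AppArmor 2.9 in jessie, which predates @{pid}), `owner` is only added when fsuid equals ouid and is not root, and an exec denial gets "ix" as a placeholder mode that a human must confirm, because choosing between ix, Cx and Px is a security decision the log cannot make.

```python
"""Turn AppArmor "DENIED" audit records into candidate profile rules.

Added helper for this thread, not part of AppArmor or GnuPG. Assumptions
(mine): /home/<user>/ -> @{HOME}/, /proc/<pid>/ -> /proc/*/, and exec
denials get the placeholder mode "ix" that must be reviewed by hand.
"""
import re
from collections import OrderedDict

# Constructed input: four of the records from the post, still wrapped the
# way the mail wrapped them (dmesg prints each record on one line).
SAMPLE_LOG = """\
[51155.130813] audit: type=1400 audit(1509507779.968:128572837):
apparmor="DENIED" operation="mknod" profile="thunderbird//gpg"
name="/home/user/.gnupg/tofu.db-journal" pid=20072 comm="gpg"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[51155.139191] audit: type=1400 audit(1509507779.976:128572838):
apparmor="DENIED" operation="mknod" profile="thunderbird//gpg"
name="/home/user/.gnupg/tofu.db-journal" pid=20072 comm="gpg"
requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
[51161.198110] audit: type=1400 audit(1509507786.040:128572839):
apparmor="DENIED" operation="open" profile="thunderbird//gpg"
name="/proc/20077/fd/" pid=20077 comm="gpg" requested_mask="r"
denied_mask="r" fsuid=1000 ouid=1000
[51161.198390] audit: type=1400 audit(1509507786.040:128572840):
apparmor="DENIED" operation="exec" profile="thunderbird//gpg"
name="/usr/local/bin/dirmngr" pid=20077 comm="gpg" requested_mask="x"
denied_mask="x" fsuid=1000 ouid=0
"""

RECORD_RE = re.compile(
    r'apparmor="DENIED" operation="(?P<op>[^"]+)" profile="(?P<profile>[^"]+)"'
    r' name="(?P<name>[^"]+)" pid=\d+ comm="[^"]+" requested_mask="[^"]*"'
    r' denied_mask="(?P<denied>[^"]+)" fsuid=(?P<fsuid>\d+) ouid=(?P<ouid>\d+)'
)

# Audit mask letter -> profile permission letter. Creating ("c") or deleting
# ("d") a file needs write permission in the rule; the others map directly.
MASK_TO_PERM = {"c": "w", "d": "w", "r": "r", "w": "w", "a": "a",
                "k": "k", "l": "l", "m": "m", "x": "x"}


def iter_records(text):
    """Yield one dict per DENIED record, re-joining mail-wrapped lines."""
    for chunk in re.split(r"(?=\[\d+\.\d+\] audit: type=1400)", text):
        flat = " ".join(chunk.split())  # collapse the wrapping into one line
        match = RECORD_RE.search(flat)
        if match:
            yield match.groupdict()


def generalise(path):
    """Replace the user's home and a live pid with profile-friendly globs."""
    path = re.sub(r"^/home/[^/]+/", "@{HOME}/", path)
    path = re.sub(r"^/proc/\d+/", "/proc/*/", path)
    return path


def render_rule(path, owner, perms):
    """Render one AppArmor file rule; 'x' becomes the placeholder mode 'ix'."""
    letters = "".join(p for p in "rwalkm" if p in perms)
    if "x" in perms:
        letters += "ix"  # assumption: reviewer replaces with ix/Cx/Px as appropriate
    return ("owner " if owner else "") + path + " " + letters + ","


def suggest_rules(log_text):
    """Return {profile: [rule, ...]}, merging permissions per generalised path."""
    merged = OrderedDict()
    for rec in iter_records(log_text):
        # 'owner' is only safe when the denied process actually owns the object.
        owner = rec["fsuid"] == rec["ouid"] and rec["fsuid"] != "0"
        key = (rec["profile"], generalise(rec["name"]), owner)
        perms = {MASK_TO_PERM[c] for c in rec["denied"] if c in MASK_TO_PERM}
        merged.setdefault(key, set()).update(perms)
    out = OrderedDict()
    for (profile, path, owner), perms in merged.items():
        out.setdefault(profile, []).append(render_rule(path, owner, perms))
    return out


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_LOG).items():
        print("# candidate rules for profile " + profile)
        for rule in rules:
            print("  " + rule)
```

The output is a starting point, not a finished profile: the journal rule comes out as plain `w` because that is all the mknod denial asked for, while an sqlite journal in practice wants the same `rwk` the post already grants to tofu.db, and the dirmngr line still needs a deliberate choice of exec mode before it goes into the child profile.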

More information about the Gnupg-users mailing list